[PATCH 4/7] shared/hfp: Fix not NULL terminating parsed strings

If there was not enough space in the output buffer,
hfp_gw_result_get_string() and hfp_gw_result_get_unquoted_string()
could return true, but the resulting string would not be NULL terminated.
---
 src/shared/hfp.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/src/shared/hfp.c b/src/shared/hfp.c
index 1be53fb..e481360 100644
--- a/src/shared/hfp.c
+++ b/src/shared/hfp.c
@@ -308,13 +308,17 @@ bool hfp_gw_result_get_string(struct hfp_gw_result *result, char *buf,
 	result->offset++;
 
 	while (data[result->offset] != '\0' && data[result->offset] != '"') {
-		if (i < len)
-			buf[i++] = data[result->offset];
+		if (i == len)
+			return false;
+
+		buf[i++] = data[result->offset];
 		result->offset++;
 	}
 
-	if (i < len)
-		buf[i++] = '\0';
+	if (i == len)
+		return false;
+
+	buf[i] = '\0';
 
 	if (data[result->offset] == '"')
 		result->offset++;
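
Review bot: the `return false` inside the loop, and the one right after it, leave `result->offset` advanced past the opening quote and into (or to the end of) the string, so a caller that gets false cannot retry with a larger buffer or continue with the next field from a known position. Consider saving `result->offset` on entry and restoring it before each `return false`, or state in the function's documentation that the result must not be parsed further after a failed call.
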
@@ -342,13 +346,17 @@ bool hfp_gw_result_get_unquoted_string(struct hfp_gw_result *result, char *buf,
 
 	while (data[result->offset] != '\0' && data[result->offset] != ','
 					&& data[result->offset] != ')') {
-		if (i < len)
-			buf[i++] = data[result->offset];
+		if (i == len)
+			return false;
+
+		buf[i++] = data[result->offset];
 		result->offset++;
 	}
 
-	if (i < len)
-		buf[i++] = '\0';
+	if (i == len)
+		return false;
+
+	buf[i] = '\0';
 
 	next_field(result);
 
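
Review bot: the copy loop and both `if (i == len)` checks in hfp_gw_result_get_unquoted_string() are now identical to the ones in hfp_gw_result_get_string() apart from the delimiter test, so the bound has to be kept correct in two places. A small static helper that takes the delimiters and does the bounded copy plus termination would hold the check once. Since an over-long field now makes the call fail where it used to be silently truncated, a unit test with a buffer exactly one byte too small for each function would pin the new behaviour down.
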
-- 
1.9.0
